On Wed, Oct 12, 2016 at 03:10:54AM -0400, Daniel Kahn Gillmor wrote:
> I don't think it's too much to ask that implementations be able to
> reject a post-handshake CertificateRequest gracefully, even if they have
> no intention of ever implementing a proper Client Certificate response.
Unfortunately, currently it is too much: one can't just send a message saying "NAK CertificateRequest X", since that message is followed by a Finished message, which is quite annoying to compute (it even requires a forkable hash, when nothing else requires that, and if one is to be able to freeze the connection, it requires very exotic features from the hash implementation).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
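Added illustration of the point above, not code from the thread or from any TLS implementation: a client that declines a post-handshake CertificateRequest still sends an empty Certificate followed by Finished, and that Finished is an HMAC over a transcript hash that starts from the state at the end of the main handshake. So the client must keep that hash state and fork (copy) it once per outstanding CertificateRequest; advancing a single running hash gives a Finished the server will reject. The Finished and HKDF-Expand-Label constructions follow what later became RFC 8446 (sections 4.4.4, 4.6.2 and 7.1); the Oct 2016 draft being discussed may differ in details. The base key, the handshake transcript and the CertificateRequest messages are constructed test data, and `hashlib`'s `.copy()` stands in for the "forkable hash" feature.

```python
"""Why declining a TLS 1.3 post-handshake CertificateRequest needs a forkable hash.

Constructed example: keys, transcript and messages are test data, not a capture.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

HT_CERTIFICATE = 11
HT_CERTIFICATE_REQUEST = 13
HT_FINISHED = 20


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: uint16 length || "tls13 "+label (u8 len) || context (u8 len)."""
    full_label = b"tls13 " + label
    info = (struct.pack(">H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake framing: HandshakeType(1) || uint24 length || body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def certificate_request(request_context: bytes) -> bytes:
    """Minimal CertificateRequest: context plus an empty extensions vector (constructed)."""
    body = bytes([len(request_context)]) + request_context + b"\x00\x00"
    return handshake_msg(HT_CERTIFICATE_REQUEST, body)


def request_context_of(cert_request_msg: bytes) -> bytes:
    """Pull certificate_request_context out of a framed CertificateRequest."""
    ctx_len = cert_request_msg[4]
    return cert_request_msg[5:5 + ctx_len]


def empty_certificate(request_context: bytes) -> bytes:
    """Certificate with an empty certificate_list: the 'no certificate' answer."""
    body = bytes([len(request_context)]) + request_context + (0).to_bytes(3, "big")
    return handshake_msg(HT_CERTIFICATE, body)


def finished_for(handshake_ctx, base_key: bytes, *messages: bytes) -> bytes:
    """Finished = HMAC(finished_key, Transcript-Hash(Handshake Context || messages)).

    handshake_ctx is the live hash object over ClientHello..client Finished.
    It is copied, never advanced: each post-handshake CertificateRequest needs
    its own fork of that state, which is the 'forkable hash' requirement.
    """
    h = handshake_ctx.copy()
    for m in messages:
        h.update(m)
    finished_key = hkdf_expand_label(base_key, b"finished", b"", HASH_LEN)
    return handshake_msg(HT_FINISHED, hmac.new(finished_key, h.digest(), HASH).digest())


def decline_request(handshake_ctx, base_key: bytes, cert_request_msg: bytes) -> tuple:
    """Client: answer a CertificateRequest with (empty Certificate, Finished)."""
    cert = empty_certificate(request_context_of(cert_request_msg))
    return cert, finished_for(handshake_ctx, base_key, cert_request_msg, cert)


def server_verifies(handshake_ctx, base_key: bytes, cert_request_msg: bytes,
                    cert: bytes, fin: bytes) -> bool:
    """Server: recompute the expected Finished from its own fork of the state."""
    expected = finished_for(handshake_ctx, base_key, cert_request_msg, cert)
    return hmac.compare_digest(expected, fin)


def demo() -> tuple:
    """Two outstanding requests: forked state verifies, one running hash does not."""
    base_key = b"client_application_traffic_secret_0 (constructed)"
    transcript = HASH(b"ClientHello..server Finished..client Finished (constructed)")
    cr1, cr2 = certificate_request(b"\x01"), certificate_request(b"\x02")

    cert1, fin1 = decline_request(transcript, base_key, cr1)
    cert2, fin2 = decline_request(transcript, base_key, cr2)
    ok1 = server_verifies(transcript, base_key, cr1, cert1, fin1)
    ok2 = server_verifies(transcript, base_key, cr2, cert2, fin2)

    # Naive client without a forkable hash: one running state that already
    # absorbed cr1||cert1, so its Finished for request 2 covers the wrong transcript.
    running = transcript.copy()
    running.update(cr1)
    running.update(cert1)
    wrong_fin2 = finished_for(running, base_key, cr2, cert2)
    naive_ok = server_verifies(transcript, base_key, cr2, cert2, wrong_fin2)
    return ok1, ok2, naive_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The forked computations succeed for both requests, while the single-running-hash variant fails verification for the second one; that is the cost the reply above is pointing at, and it applies even when the client only ever sends an empty certificate_list.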